Azure Virtual Network Architecture

Resource Group: rg-production-eastus2  |  Region: East US 2

Active v1.4.0  |  1 Virtual Network · 4 Subnets · 2 NSG Rule Sets · 2 Route Tables · 1 NAT Gateway · 1 VNet Peering
📐 Network Flow Diagram
Internet (external traffic) → Internet Gateway igw-prod-01 → NAT Gateway ngw-prod-01 (20.42.x.x) → Network Security Groups nsg-web-public | nsg-app-private (labelled nsg-public-subnet | nsg-private-subnet in the diagram)
Public Subnet: Web VMs 10.0.1.0/24 · Load Balancer 10.0.2.0/24
Private Subnet: App VMs 10.0.3.0/24 · Database 10.0.4.0/24
Note: Azure has no Internet Gateway resource type; inbound traffic reaches a subnet through the public IP attached to the load balancer, application gateway or VM NIC, and ngw-prod-01 carries outbound traffic only. Read the chain above as the diagram's layering, not as the inbound packet path.
🌐 Virtual Network
🌐
vnet-production-eastus2
Azure Virtual Network  ·  East US 2  ·  Microsoft.Network/virtualNetworks
10.0.0.0/16
Resource ID
/subscriptions/xxxx/rg-production/vnet-prod
DNS Servers
168.63.129.16 (Azure Default)
DDoS Protection
✔ Standard Enabled
Encryption
✔ Enabled · enforcement AllowUnencrypted (VMs that do not support VNet encryption still exchange cleartext; DropUnencrypted is the enforcing mode)
📦 Subnets
🌐 Public Subnet
snet-web-public
10.0.1.0/24  ·  251 usable IPs
🛡 NSG nsg-web-public
🗺 Route Table rt-public-internet
🔌 Service Endpoints Microsoft.Storage
🌍 Public IP Auto-assign Enabled (not an Azure subnet property: public IPs are attached per NIC, so check each of the 3 web VM NICs for an instance-level public IP that bypasses the load balancer)
Resources 3 VMs, 1 LB
🌐 Public Subnet
snet-lb-public
10.0.2.0/24  ·  251 usable IPs
🛡 NSG nsg-web-public
🗺 Route Table rt-public-internet
⚖ Load Balancer lb-frontend-prod
🔄 Application Gateway agw-waf-prod (Application Gateway requires a subnet dedicated to it that holds no other resource type; if lb-frontend-prod is an internal load balancer, its frontend IP cannot share 10.0.2.0/24)
🌍 Public IP 20.42.15.201
🔒 Private Subnet
snet-app-private
10.0.3.0/24  ·  251 usable IPs
🛡 NSG nsg-app-private
🗺 Route Table rt-private-nat
🔄 NAT Gateway ngw-prod-01 (Outbound)
🌍 Public IP None (Private Only)
Resources 5 App VMs
🔒 Private Subnet
snet-db-private
10.0.4.0/24  ·  251 usable IPs
🛡 NSG nsg-app-private (shared with snet-app-private, so every rule in it, including Allow-AppPort-LB on TCP 8080 from 10.0.1.0/24, applies to this subnet too)
🗺 Route Table rt-private-nat
🔗 Private Endpoint Microsoft.Sql
🌍 Public IP None (no inbound public path; outbound Internet egress still exists through rt-private-nat → ngw-prod-01 and the NSG's Allow-NAT-Out rule, so "isolated" means no public ingress, not no egress)
🗄 Resources Azure SQL MI, Redis (Azure SQL Managed Instance must be deployed into a subnet delegated to Microsoft.Sql/managedInstances, which cannot host other resources; confirm whether the MI is in its own delegated subnet rather than 10.0.4.0/24)
⚙ Network Resources
🗺
rt-public-internet
Route Table · Public Subnets · 4 Routes
Route Name | Prefix | Next Hop
DefaultRoute | 0.0.0.0/0 | Internet
VNetLocal | 10.0.0.0/16 | VNet Local
PeeringRoute | 172.16.0.0/12 | VNet Peering
BlockRFC1918 | 192.168.0.0/16 | None
Propagate GW routes: OFF
Associated: snet-web-public, snet-lb-public
Note: a user-defined route accepts only Virtual network gateway, Virtual network, Internet, Virtual appliance or None as its next hop; "VNet Peering" is the system route Azure installs for the peer's 172.16.0.0/16 once peer-prod-to-hub connects. PeeringRoute's /12 prefix also covers 172.17.0.0 to 172.31.255.255, which no peer owns, and BlockRFC1918 drops only 192.168.0.0/16 (longest prefix match), leaving the rest of 172.16.0.0/12 routed towards the peer.
🗺
rt-private-nat
Route Table · Private Subnets · 4 Routes
Route Name | Prefix | Next Hop
NATOutbound | 0.0.0.0/0 | NAT Gateway
VNetLocal | 10.0.0.0/16 | VNet Local
PeeringRoute | 172.16.0.0/12 | VNet Peering
BlockInternet | 1.0.0.0/8 | None
Propagate GW routes: OFF
Associated: snet-app-private, snet-db-private
Note: "NAT Gateway" is likewise not a selectable UDR next hop; associating ngw-prod-01 with a subnet installs the 0.0.0.0/0 route to it. BlockInternet discards traffic to 1.0.0.0 to 1.255.255.255 only (longest prefix match); every other public destination, and 192.168.0.0/16 as well, still egresses through the NAT gateway under NATOutbound, so the route name overstates what it does.
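A longest-prefix-match walk over the two route tables above, as an added example (not the page's tooling and not Azure code): it reproduces the selection order Azure applies within a table, longest prefix wins, and reports which next hop a destination gets and which prefixes the /12 PeeringRoute covers beyond the peer's own 172.16.0.0/16. The next-hop labels are the page's; the sample destinations are constructed.

```python
import ipaddress

# Route tables copied from the page. The next-hop labels are the page's own;
# "VNet Peering" and "NAT Gateway" are kept as labels for the effective routes
# Azure installs on association, since neither is a next-hop type a UDR accepts.
RT_PUBLIC_INTERNET = {
    "DefaultRoute":  ("0.0.0.0/0",      "Internet"),
    "VNetLocal":     ("10.0.0.0/16",    "VNet Local"),
    "PeeringRoute":  ("172.16.0.0/12",  "VNet Peering"),
    "BlockRFC1918":  ("192.168.0.0/16", "None"),
}
RT_PRIVATE_NAT = {
    "NATOutbound":   ("0.0.0.0/0",     "NAT Gateway"),
    "VNetLocal":     ("10.0.0.0/16",   "VNet Local"),
    "PeeringRoute":  ("172.16.0.0/12", "VNet Peering"),
    "BlockInternet": ("1.0.0.0/8",     "None"),
}
PEER_ADDRESS_SPACE = "172.16.0.0/16"   # vnet-hub-eastus2, from the peering section


def lookup(table, destination):
    """Longest-prefix match: return (route name, next hop) for a destination IP."""
    ip = ipaddress.ip_address(destination)
    best_name, best_hop, best_len = None, None, -1
    for name, (prefix, hop) in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best_name, best_hop, best_len = name, hop, net.prefixlen
    return best_name, best_hop


def is_dropped(table, destination):
    """A next hop of None means Azure discards the packet."""
    return lookup(table, destination)[1] == "None"


def peering_overreach(table, peer_space=PEER_ADDRESS_SPACE):
    """Prefixes inside PeeringRoute that the peer VNet does not own."""
    route = ipaddress.ip_network(table["PeeringRoute"][0])
    peer = ipaddress.ip_network(peer_space)
    if not peer.subnet_of(route):
        return []
    return [str(n) for n in sorted(route.address_exclude(peer))]


if __name__ == "__main__":
    # Constructed sample destinations, one per interesting case.
    for dst in ("10.0.4.7", "172.16.1.10", "172.20.0.5", "192.168.1.1", "1.2.3.4", "8.8.8.8"):
        print(f"{dst:>12}  public: {lookup(RT_PUBLIC_INTERNET, dst)}  private: {lookup(RT_PRIVATE_NAT, dst)}")
    print("PeeringRoute covers, peer lacks:", peering_overreach(RT_PUBLIC_INTERNET))
```

Running it shows the two points the notes above make: 1.2.3.4 is the only public destination rt-private-nat drops, 192.168.1.1 is dropped by the public table but NATed by the private one, and 172.20.0.5 is sent towards a peer that does not own it.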
🛡
nsg-web-public
Network Security Group · Public Tier · 8 Rules (5 shown)
Priority | Dir | Name | Protocol:Port · Source→Destination | Action
100 | IN | Allow-HTTPS-In | TCP:443 · Any→Any | Allow
110 | IN | Allow-HTTP-In | TCP:80 · Any→Any | Allow
120 | IN | Allow-SSH-Bastion | TCP:22 · 10.0.5.0/24→Any | Allow
200 | OUT | Allow-All-Outbound | Any · Any→Any | Allow
4096 | IN | DenyAll-Inbound | Any · Any→Any | Deny
Notes: DenyAll-Inbound at 4096 is evaluated before Azure's default AllowVnetInBound (65000), so intra-VNet and hub-peered traffic to this tier is denied unless one of the custom rules matches it. 10.0.5.0/24, the SSH source, does not appear in the subnet inventory above; if it is Azure Bastion, the subnet must be named AzureBastionSubnet and be /26 or larger. Allow-All-Outbound gives Internet-facing web VMs unrestricted egress; narrowing it to the app tier (TCP 8080 to 10.0.3.0/24) and the services those VMs need limits what a compromised web VM can reach.
Flow Logs: Enabled → Storage Account
Diagnostic Logs: Log Analytics
🛡
nsg-app-private
Network Security Group · Private Tier · 10 Rules (6 shown)
Priority | Dir | Name | Protocol:Port · Source→Destination | Action
100 | IN | Allow-AppPort-LB | TCP:8080 · 10.0.1.0/24→Any | Allow
110 | IN | Allow-DB-App | TCP:1433 · 10.0.3.0/24→Any | Allow
120 | IN | Allow-Redis | TCP:6379 · 10.0.3.0/24→Any | Allow
130 | IN | Allow-AzureMonitor | Any · AzureMonitor tag→Any | Allow
200 | OUT | Allow-NAT-Out | TCP:443 · Any→Internet | Allow
4096 | IN | DenyAll-Inbound | Any · Any→Any | Deny
Notes: Allow-AppPort-LB admits TCP 8080 only from 10.0.1.0/24 (the web VMs). Traffic forwarded by agw-waf-prod arrives from the Application Gateway's private IPs in 10.0.2.0/24, and lb-frontend-prod is a pass-through load balancer that preserves the client source IP, so neither path matches this rule and both fall to DenyAll-Inbound. The AzureMonitor service tag is documented as an outbound tag (agents initiate connections out on TCP 443); as an inbound source it admits nothing useful. Allow-NAT-Out permits only TCP 443, but with no custom outbound deny the default AllowInternetOutBound (65001) still allows every other port to the Internet; add a DenyAll-Outbound at a priority below 65000 if 443-only egress is the intent. Because this NSG is also attached to snet-db-private, the database subnet accepts TCP 8080 from the web tier as well. Flow logs are listed for nsg-web-public only; confirm they are enabled here too.
🔄
ngw-prod-01
NAT Gateway · Private Subnet Outbound · Active
Resource Type: Microsoft.Network/natGateways
SKU: Standard
Idle Timeout: 4 minutes (the default; configurable up to 120)
Availability Zone: Zone 1
TCP Ports (per IP): 64,512 SNAT ports per public IP
Associated Subnets: snet-app-private, snet-db-private
Public IP (Static): 20.42.187.94
Public IP Prefix: 20.42.187.80/28
Note: a zonal NAT gateway serves VMs in any zone of the region but is itself a single-zone resource; if Zone 1 fails, outbound connectivity for both subnets fails with it, so zone-resilient designs use one NAT gateway per zone with zonal subnets. Remote allow-lists for this egress should cover the whole /28, since connections may source from any address in the attached prefix.
🔗
VNet Peering & DNS
Peering Configuration & Name Resolution
⛓ peer-prod-to-hub
Peer VNet: vnet-hub-eastus2
Peer Address Space: 172.16.0.0/16
Status: ● Connected
Allow VNet Access: Enabled
Allow Forwarded Traffic: Enabled
Allow GW Transit: Disabled
Use Remote Gateways: Disabled
Note: with Use Remote Gateways disabled and Propagate GW routes OFF on both route tables, this VNet does not learn the hub's VPN or ExpressRoute routes, which is consistent. Allow Forwarded Traffic lets the hub forward traffic from other networks (for example through an NVA) into this VNet; the receiving NSGs still evaluate those flows, and nsg-app-private's DenyAll-Inbound admits nothing sourced from 172.16.0.0/16 as listed. The peer owns 172.16.0.0/16, not the 172.16.0.0/12 that both route tables send its way.
🔍 DNS Configuration
DNS Type: Azure-Provided Default
Primary DNS: 168.63.129.16
Private DNS Zone: prod.internal.azure
Auto Registration: Enabled
Note: the Microsoft.Sql private endpoint in snet-db-private also needs the matching privatelink zone (privatelink.database.windows.net for Azure SQL) linked to vnet-production-eastus2; without it the server FQDN resolves to the public address and clients bypass the private endpoint.
🚦 Traffic Flow Summary
Source | Destination | Protocol / Port | Path | NSG | Status
🌍 Internet | 🖥 Web VMs (Public) | TCP 443 / 80 | public IP → NSG → snet-web-public | nsg-web-public | ✔ Allowed
⚖ Load Balancer / App Gateway | ⚙ App VMs (Private) | TCP 8080 | snet-lb-public → VNetLocal route → snet-app-private | nsg-app-private | ✗ Denied as listed: Allow-AppPort-LB accepts 10.0.1.0/24 only; agw-waf-prod sources from 10.0.2.0/24 and lb-frontend-prod preserves the client IP, so both hit DenyAll-Inbound (only web VMs in 10.0.1.0/24 are allowed on 8080)
⚙ App VMs | 🗄 Azure SQL / Redis | TCP 1433 / 6379 | snet-app-private → NSG → snet-db-private | nsg-app-private | ✔ Allowed
⚙ App VMs (Private) | 🌍 Internet (Outbound) | TCP 443 | snet-app-private → rt-private-nat → NAT GW → Internet | nsg-app-private | ✔ Via NAT (other ports also pass, through the default AllowInternetOutBound rule)
🌍 Internet | 🗄 Database (Private) | Any | no public IP on the subnet; NSG DenyAll-Inbound is the second layer | nsg-app-private | ✗ Denied
🔗 Hub VNet Peer | 🔒 Private Subnets | Any | VNet Peering → peering system route → Internal | nsg-app-private | ✔ Routed, ✗ filtered: DenyAll-Inbound (4096) precedes the default AllowVnetInBound, so hub-sourced flows need an explicit rule for 172.16.0.0/16
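The two NSG listings under Network Resources and the Traffic Flow Summary above make claims about which flows pass. The Python below is an added example, not the page's own tooling and not Azure code: a local model of how Azure evaluates an NSG (lowest priority number first, first match wins, the built-in 65000+ default rules after the custom ones), loaded with the rules exactly as listed on this page, so you can ask "would this flow pass?" for a given source and destination. Assumptions: the VirtualNetwork tag is the VNet plus the peered hub space, Internet is anything outside that, the AzureMonitor tag is stood in for by a TEST-NET prefix (203.0.113.0/24) because its real prefix list is published by Microsoft and not embedded here, and every sample IP is constructed. `hardened_outbound` adds the explicit outbound deny that makes Allow-NAT-Out actually restrictive.

```python
import ipaddress

# Address sets behind the selectors used on the page (assumptions, see lead-in):
# VirtualNetwork = the VNet plus the peered hub, as Azure defines the tag;
# AzureMonitor uses a constructed TEST-NET placeholder, not Microsoft's real list.
TAGS = {
    "Any": ["0.0.0.0/0"],
    "VirtualNetwork": ["10.0.0.0/16", "172.16.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "AzureMonitor": ["203.0.113.0/24"],   # constructed placeholder
}


def _matches(selector, ip):
    """True if ip is covered by a service tag, a CIDR, or 'Internet' (= outside the VNet)."""
    addr = ipaddress.ip_address(ip)
    if selector == "Internet":
        return not any(addr in ipaddress.ip_network(p) for p in TAGS["VirtualNetwork"])
    return any(addr in ipaddress.ip_network(p) for p in TAGS.get(selector, [selector]))


# Rule tuples: (priority, direction, name, protocol, port, source, destination, action).
# Custom rules are copied from the page's nsg-web-public and nsg-app-private listings;
# DEFAULTS are Azure's built-in rules, which every NSG evaluates after the custom ones.
DEFAULTS = [
    (65000, "IN",  "AllowVnetInBound",              "Any", "Any", "VirtualNetwork",    "VirtualNetwork", "Allow"),
    (65001, "IN",  "AllowAzureLoadBalancerInBound", "Any", "Any", "AzureLoadBalancer", "Any",            "Allow"),
    (65500, "IN",  "DenyAllInBound",                "Any", "Any", "Any",               "Any",            "Deny"),
    (65000, "OUT", "AllowVnetOutBound",             "Any", "Any", "VirtualNetwork",    "VirtualNetwork", "Allow"),
    (65001, "OUT", "AllowInternetOutBound",         "Any", "Any", "Any",               "Internet",       "Allow"),
    (65500, "OUT", "DenyAllOutBound",               "Any", "Any", "Any",               "Any",            "Deny"),
]
NSG_WEB_PUBLIC = [
    (100,  "IN",  "Allow-HTTPS-In",     "TCP", 443,   "Any",         "Any", "Allow"),
    (110,  "IN",  "Allow-HTTP-In",      "TCP", 80,    "Any",         "Any", "Allow"),
    (120,  "IN",  "Allow-SSH-Bastion",  "TCP", 22,    "10.0.5.0/24", "Any", "Allow"),
    (200,  "OUT", "Allow-All-Outbound", "Any", "Any", "Any",         "Any", "Allow"),
    (4096, "IN",  "DenyAll-Inbound",    "Any", "Any", "Any",         "Any", "Deny"),
]
NSG_APP_PRIVATE = [
    (100,  "IN",  "Allow-AppPort-LB",   "TCP", 8080,  "10.0.1.0/24",  "Any",      "Allow"),
    (110,  "IN",  "Allow-DB-App",       "TCP", 1433,  "10.0.3.0/24",  "Any",      "Allow"),
    (120,  "IN",  "Allow-Redis",        "TCP", 6379,  "10.0.3.0/24",  "Any",      "Allow"),
    (130,  "IN",  "Allow-AzureMonitor", "Any", "Any", "AzureMonitor", "Any",      "Allow"),
    (200,  "OUT", "Allow-NAT-Out",      "TCP", 443,   "Any",          "Internet", "Allow"),
    (4096, "IN",  "DenyAll-Inbound",    "Any", "Any", "Any",          "Any",      "Deny"),
]


def evaluate(rules, direction, proto, port, src, dst):
    """Return (rule name, action) of the first rule that matches, lowest priority number first."""
    for prio, d, name, p, pt, s, t, action in sorted(rules + DEFAULTS, key=lambda r: (r[0], r[1])):
        if d != direction or (p != "Any" and p != proto) or (pt != "Any" and pt != port):
            continue
        if _matches(s, src) and _matches(t, dst):
            return name, action
    raise AssertionError("unreachable: the 65500 default rules match everything")


def hardened_outbound(rules):
    """The same NSG with an explicit outbound deny placed before Azure's AllowInternetOutBound (65001)."""
    return rules + [(4000, "OUT", "DenyAll-Outbound", "Any", "Any", "Any", "Any", "Deny")]


def page_flow_checks():
    """Flows the Traffic Flow Summary claims, plus the ones it does not list. All IPs are constructed."""
    app_vm, db, internet = "10.0.3.10", "10.0.4.4", "13.107.42.14"
    return {
        "web_vm_to_app_8080":  evaluate(NSG_APP_PRIVATE, "IN",  "TCP", 8080, "10.0.1.5",      app_vm),
        "appgw_to_app_8080":   evaluate(NSG_APP_PRIVATE, "IN",  "TCP", 8080, "10.0.2.7",      app_vm),  # SNATed by agw-waf-prod
        "client_via_lb_8080":  evaluate(NSG_APP_PRIVATE, "IN",  "TCP", 8080, "198.51.100.10", app_vm),  # client IP kept by lb-frontend-prod
        "hub_to_app_22":       evaluate(NSG_APP_PRIVATE, "IN",  "TCP", 22,   "172.16.1.10",   app_vm),
        "app_to_db_1433":      evaluate(NSG_APP_PRIVATE, "IN",  "TCP", 1433, "10.0.3.9",      db),
        "app_out_443":         evaluate(NSG_APP_PRIVATE, "OUT", "TCP", 443,  app_vm,          internet),
        "app_out_25":          evaluate(NSG_APP_PRIVATE, "OUT", "TCP", 25,   app_vm,          internet),
        "app_out_25_hardened": evaluate(hardened_outbound(NSG_APP_PRIVATE), "OUT", "TCP", 25, app_vm, internet),
        "bastion_ssh_to_web":  evaluate(NSG_WEB_PUBLIC,  "IN",  "TCP", 22,   "10.0.5.4",      "10.0.1.5"),
        "internet_ssh_to_web": evaluate(NSG_WEB_PUBLIC,  "IN",  "TCP", 22,   "198.51.100.10", "10.0.1.5"),
    }


if __name__ == "__main__":
    for flow, (rule, action) in page_flow_checks().items():
        print(f"{flow:<22} {action:<5} by {rule}")
```

The output confirms the corrections made to the summary table: the 8080 flow passes only when the source is a web VM in 10.0.1.0/24, the Application Gateway and load-balanced paths and the hub-sourced SSH flow all terminate at DenyAll-Inbound, and outbound TCP 25 from an app VM is allowed by AllowInternetOutBound until the explicit DenyAll-Outbound at 4000 is present.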